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Summary 

In  some  situations  encountered  today  the  components  are  so  reliable 
that  no  failures  are  observed  within  the  time  available  for  testing.  This 
can  pose  a  problem  in  data  analysis  and  interpretation.  We  consider  here 
the  problem  of  determining  lower  confidence  bounds  on  the  reliability  of 
a  complex  system,  such  as  the  Saturn  1-C,  when  each  component  is  assumed 
to  have  an  exponential  life  and  different  components  have  different  multi¬ 
plicities  within  the  system.  We  discuss  and  compare  the  confidence  limits 
obtainable  from  various  interpretations  of  the  data  and  several  theories 
such  as  asymptotic  likelihood  ratio,  asymptotic  maximum  likelihood,  the 
Bayesian  method  and  the  new  method  presented  here  utilizing  the  conditional 
probabilities  of  malfunction  of  the  components  given  that  a  malfunction  in 
the  system  has  occurred. 


Introduction 


The  problem  of  determining  the  probability  of  successful  operation 
of  a  large  complex  system  when  one  has  data  only  on  the  reliability  of 
the  components,  has  over  the  past  decade,  been  the  subject  of  many  in¬ 
vestigations.  A  large  portion  of  these  reports  were  proprietary. 

However  much  of  this  vast  literature  either  consists  of  amalgams 
of  engineering  judgement  and  untutored  statistical  intuition,  or  the 
study  is  based  on  an  asymptotic  theory  for  which  the  precision  of  the 
approximation  is  unknown  or  the  analysis  is  based  on  subjective  prior 
assumptions  utilizing  Bayesian  methods. 

The  economic  importance  of  correct  assessment  of  the  system  relia¬ 
bility  before  full  scale  testing  can  hardly  be  underestimated  in  nearly 
any  of  the  current  aerospace  programs.  The  desire  to  find  an  acceptable 
solution  can  be  seen  from  the  inclusiveness  of  the  proprietary  report  of 
Dalton  [2]  which  ostensibly  compares  many  of  these  techniques.  We  also  men¬ 
tion  the  comparison  made  in  [11]  and  the  many  references  given  in  [2]. 

The  fact  is  estimating  mean  time  until  failure  or  the  probability 
of  failure  (under  many  models),  requires  that  at  least  one  failure  be  ob¬ 
served.  The  plea  which  is  often  made  to  the  preliminary  testing  program 
for  more  data  is  sometimes  nothing  but  a  covert  wish  for  more  failures. 

Thus  tne  statistician  is  put  in  the  uncomfortable  position  of  having  less 
and  less  confidence  in  his  interval  estimates  of  reliability  when  fewer 


and  fewer  failures  are  observed  due  to  the  fact  the  reliability  is  be¬ 
coming  higher  and  higher.  Ultimately,  when  the  system  becomes  perfect 
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and  no  failures  are  observed  the  statistician  has  no  confidence  if  his 
statistical  procedures  are  necessarily  based  on  failure  analysis.  In 
this  unsatisfactory  situation  it  is  an  understandable  reaction  of  pro¬ 
gram  managers  to  form  a  distrust  of  statistical  inference  and  its  "num- 
erologists"  as  well.  And  as  indication  of  this  disenchantment  see  [3]. 

In  this  note  we  address  the  problem  of  deriving  appropriate  statis¬ 
tical  techniques  which  will  be  valid  when  there  is  a  paucity  of  observed 
failures  in  the  components  which  have  been  tested. 
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1.  The  Basic  Model 

Consider  a  large  complex  system  which  has  been  designed  to  perform 
in  a  specified  manner  when  all  of  its  components  are  operating.  At  ques¬ 
tion  is  the  length  of  time  during  which  it  can  perform  adequately,  or 
equivalently,  the  confidence  we  can  have  that  it  will  perform  adequately 
for  a  specified  time. 

Suppose  we  postulate  that  each  component  of  the  system,  as  well  as 
the  system  itself,  is  either  performing  adequately  or  is  in  a  failed  state. 
Hence  at  any  time  t  for  the  i^  component 

1  indicates  performance 

xi(t)  - 

0  indicates  failure. 

The  stochastic  process  X^(t)  is  called  the  performance  process  of 
the  i^  component.  Let  £(t)  *  (X^  (t)  , .  .  .  ,X^(t) )  indicate  the  state  of 
all  the  components  at  any  time  t  >  0.  The  state  of  the  system  formed 
from  these  components  is  given  by  the  system  structure  function  which 

is  a  non-decreasing  function  on  the  vertices  of  the  hypercube  of  dimension 
m  and  such  that 

4>(1,...,1)  ■  1  and  <K0,...,0)  -  0. 

This  class  of  functions  is  called  coherent  of  order  m  and  has  been 
studied  previously  in  [4]  and  [6].  Thus  the  stochastic  process 

*(t)  -  <X(t), 

where  juxtaposition  indicates  composition,  defines  the  performance  process 
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of  the  system.  We  are  interested  in  the  probability  of  perfect  perfor¬ 
mance  of  the  system  for  a  mission  of  length  t,  namely 

(1.1)  P[4>(s)  -  1,  0  <  s  <  t]. 

The  problem  is  that  one  has  only  a  limited  amount  of  data  about  the 
reliability  of  each  of  the  components  so  that  at  best  one  can  obtain  a 
lower  confidence  bound  on  (1.1),  for  a  fixed  mission  of  given  length.  We 
shall  make  the  specific  assumption 
1°  The  random  variables 

Ut  -  inf{t:X1(t)  -  0}  i  -  1 . m 

are  called  the  times  until  failure  for  each  component  and  are 
independently  distributed  by 

P[Ut  >  t]  -  e“Qi(t)  for  t  >  0 

where  is  the  hazard  function  of  U^. 

In  this  context  a  minimal  out  has  been  defined,  in  [6],  as  a  mini¬ 
mal  set  of  components  such  that  if  all  are  simultaneously  failed  the  system 
must  be  in  a  failed  state.  The  performance  process  of  the  system  can  then 
be  related  to  the  performance  process  of  the  components  in  the  usual  fashion 

through  the  minimal  cuts  . by 

m 

(1.1.1)  $£<t)  -  n  n.&(t) 

j-1  J 

where 

(1.1.2)  n  &(t)  -  l  -  n  (l-x  (t)) 

J  -i  c-r  1 
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for  all  t  >  0.  This  representation  is  well  known,  see  [6]. 


We  can  now  prove 


Theorem  1.  Under  assumption  1°,  there  exists  frr  any  coherent 
structure  <p  with  minimal  cut  sets  C^,...,C  a  set  of  integers 
V—V  with  the  number  of  the  which  contain  i  as 

a  member ,  and 


P[<*>(t) 


m 

1  .1  exp[- £v  Q<(t)  ]  for 
1  J  - 


t  >  0. 


Proof:  By  a  fundameatal  result  of  Esary,  Proschan  and  Walkup,  theorem 
3.3  [ 5] ,  we  have 

k 

P[$£(s)  -  1,  0  <  s  <  t]  >.  n  P[n,&(s)  -  1,  0  <  s  <  t] 

j«l  J 


where  n^(s)  was  defined  in  (1.1.2).  But  notice  that  as  events 
[nj&s)  -  1,  0  <  s  <  t]  -  HlieC  (l-X^s))  -  0,  0  <  s  <  tPtn  [XjCO  -  1] 

and  it  is  the  probability  of  this  last  event  which  is  easily  computed. 

Hence  by  assumption  1° 


-Qt(t) 

Pin  Ms)  -  1,  0  <  s  <  t]  i  n  P(X  (t)  -  1]  -  n  e 

J  ieCj  ieCj 

k 

In  P(«(t)  -  1]  >  -£  E  Q<(t> 

J-l  ieCj 


and  reversing  the  summation  yields  the  result  claimed. 


This  result  provides  a  lower  bound  on  the  reliability  of  any  struc¬ 
ture  in  terms  of  a  series  system  with  the  multiplicities  of  the 

components  suitably  chosen.  Moreover  if  component  reliabilities  are  very 
high  the  system  itself  begins  to  behave  like  its  weakest  links,  namely 
its  minimal  cuts,  and  its  reliability  becomes  closely  approximated  by 
the  bound  given.  In  view  of  the  theoretical  simplicity  and  the  approxi¬ 
mate  equality  of  the  bound  given  in  the  many  practical  cases  when  hazard 
rates  are  small,  we  shall  henceforth  assume  that  we  seek  a  lower  confidence 
bound  for  such  a  series  system  reliability.  This  we  take  as 

-Ewo 

(1.2)  e  1  for  t  >  0, 

where  are  known  constants  determined  from  the  monotone  functional 

representation  41  of  the  system  and  are  unknown  hazard  functions  of 

the  components. 

Keeping  in  mind  the  missile  systems  which  are  the  archtype  of  this 
model,  it  is  often  necessary  to  assume  that  a  different  representation 
of  the  form  (1.2)  is  assigned  for  each  separate  phase  of  the  missions. 
Henceforth  we  assume  that  such  a  phase  is  given  and  fixed. 

2.  Beta  Factors 

We  now  make  a  distinction  between  malfunction  and  failure  of 
a  component.  In  actuality  a  malfunction  in  the  component  may  cause  only 
degraded  performance  of  the  component  instead  of  a  complete  failure.  This, 
by  definition, will  result  in  a  system  failure  (or  vehicle  loss  in  the 
archtype  missile  system)  since  we  have  reduced  our  assumption  to  that  of 


a  series  system. 
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It  becomes  expedient  to  extend  the  model  and  allow  the  concept  of 
malfunotion  which  if  occurring  at  a  given  time  in  the  mission  may  or  may 
not  result  in  component  failure.  A  failure  thus  is  a  special  case  of 
malfunction. 


We  now  make  two  very  specific  assumptions 

2°:  A  malfunction  in  the  i^  component  during  the  time  interval 
(t,t+h>  of  a  mission  will  result  in  a  component  failure 
causing  vehicle  loss  with  a  certain  probability  6°(t)*h. 

3°:  The  time  until  malfunction  of  the  iC^  component  is  exponential 
with  hazard  rate 


It  follows  that 


lim  £  P[Xi(t+h)  -  0|Xi(t)  >  0]  -  XiBj(t). 
h-*0 

t 

From  the  definition  of  we  have  Q^(t)  -  J  X  fi  °(x)dx 

0  1  1 
r  t+h 

P[Ut  >  t+h|Ui  >  t]  -  exp  {-J  Ai61(x)dx}. 


For  a  mission  of  fixed  length  tp  we  define  the  beta  factors  8^, 
which  are  constants,  by  the  equation 

So 

6tt0  -  vi  J  6°(x)dx. 


Thus  the  probability  of  vehicle  safety  over  the  time  interval  (0,tg), 
i.e.  the  reliability  of  the  system,  is  from  (1.2) 


expf-^X^tg} 


(2.1) 
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Without  loss  of  generality  we  shall  henceforth  assume  that  all  time 
intervals  are  expressed  in  fractions  of  this  fixed  mission  length  tQ, 


to  wit,  assume  t 


0 


1. 


th 


For  the  i  component  we  will  refer  to  both  the  (average)  beta  factor 
0^  and  0°,  the  conditional  probability  of  failure  given  a  malfunction 
in  that  component,  as  0-factors.  The  usage  will  make  clear  which  is  meant. 

Although  we  define  0^  as  an  integral,  in  practice  it  is  ordinarily 
a  sum.  Usually  the  mission  phase  is  divided  into  periods  and  the  8-factor 
is  taken  as  constant  during  each  period.  Suppose  the  0-factor  is  0°^  for 
the  i^  component  during  the  period  of  the  mission  phase.  Hence  the 


(r) 


time  intervals  (t^  t^)  j*l,...,r,  where  t^  =  0,  t"'  *  1  by 

our  convention,  would  constitute  the  r  phases.  We  would  then  have 


(2.2) 


i  -  tO'(j)  -  ^-“i. 

j-i 


Notice  that  incorporating  0-factors  into  the  model  to  evaluate  the 
probability  of  vehicle  loss,  as  a  consequence  of  assumptions  2°  and  3° 
changes  the  entire  nature  of  (1.2)  since  (2.1)  involves  only  a  known  linear 
combination  of  the  unknown  failure  rates  X^. 


3.  The  Data 

In  many  cases  the  first  type  of  data  one  has  concerning  the  reliability 
of  the  components  comes  from  environmental  tests.  This  test  data  must  be 
transformed  by  engineering  evaluation  into  the  equivalent  operational  time 
during  the  given  phase  of  the  mission.  Those  factors,  which  transform  en¬ 
vironmental  test  time  into  the  equivalent  phase  time  called  the  environmental 
factors  or  E-factors,  are  used  in  industrial  practice,  see  [1]. 

An  E-factor  is  a  number  used  to  modify  one  unit  of  test  time  so  that 
it  may  be  expressed  in  the  appropriate  units  of  equivalent  mission  phase 
time.  For  example,  if  one  unit  of  test  time  is  equivalent  in  severity  to 
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one-half  of  a  unit  of  time  during  a  certain  phase  condition  then  the  E- 
factor  is  .5.  In  other  words  two  units  of  test  time  at  this  speci¬ 
fied  condition  of  environmental  severity  to  one  unit  of  mission  phase 
time . 

Specifically,  during  the  first  phase  of  a  mission  a  component  may 
experience  several  types  of  vibration,  several  temperature  and  humidity 
changes.  Consequently,  testing  the  component  in  these  separate  environ¬ 
ments  must  yield  results  requiring  a  transformation  into  the  appropriate 
mission  phase  equivalent  time. 

We  do  not  discuss  further  the  derivation  of  these  transformations 
but  we  merely  point  out  that  in  such  instances  the  data  on  the  operational 
behavior  of  the  components  are  not  god-given,  but  rather  are  the  construct 
of  prior  engineering  knowledge  and  judgement.  We  remark  also  that  E -factors 
are  not  the  same  as  g-factors.  Beta  factors  are  determined  from  the  systems 
vulnerability  to  a  malfunction  of  a  given  type  during  a  certain  phase  of 
mission.  On  the  other  hand  E-factors  are  used  to  accelerate  the  testing 
and  reduce  its  expense. 

Keeping  this  point  in  mind,  the  statistician  is  ultimately  provided 
with  data  on  all  the  components  in  the  form 

(3.1)  xi  *  (ti,ni)  i  -  1 , . .  .  ,m 

where  t^  is  the  total  time  (in  fractions  of  the  mission  length)  the  i1"*1 
component  nas  been  operated  and  n^  is  the  total  number  of  malfunctions 
of  the  i*"*1  component  during  time  t^. 

We  now  make  some  interpretations  of  these  data. 


vv 
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Interpretatlon  I.  Suppose  it  was  decided  to  run  the  i  component 
for  a  fixed  period  of  time  t^  and  count  the  number  of  malfunctions.  From 
assumption  2^  it  follows  that  the  time  t^  is  a  known  parameter  while 
n^  is  an  observed  value  of  a  Poisson  random  variable  with  density 

e~Xiti(X  t  )n 

(3.2)  - —  n  ■  0,1,... 

n. 


Interpretation  II.  We  now  regard  the  time  until  the  occurrence  of 
the  preassigned  n^^*  malfunction  (n ^  1)  for  the  i  component  as  the 

observed  value  of  a  random  variable.  Let 

(3.3)  Si  -  Tt(l)  +  ...  +  Ti(n.) 

denote  the  tfme  of  the  n^*1  malfunction  of  the  ith  component  where  ni  ^  1 
is  given  and  where  T^k)  is  the  exponentially  distributed  time  between 
the  (k-l)st  and  the  k*  malfunction  of  the  i*  component. 

Now  the  data  (t^,n^)  means  having  observed  the  event 

(3.4)  IS1it1)niSi  +  I1(n1+l)  >  t.J. 

In  words;  the  n^*1  malfunction  took  place  on,  or  before  time  t^  and 
the  (n^+llst  malfunction  had  not  occurred  at  that  time. 


If  n  2.  1 »  then  we  must  have  observed  the  event 

(3.5)  [St  -  slOtT^n.+l)  >  t±  -  s ] 

for  some  0  <  s  <  t^.  Or  on  the  other  hand  if  n^  *  0,  we  must  have 
observed  the  event 


(3.6) 


[Ti(l)  >  tiJ 
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Now 


the  density  of  S^,  is  the  gamma  density,  (p.  74,  ref.  [7])  given  by 


(3.7) 


n,  n  -1  -A . s 
,  i  i  l 
A  ^  s  e 

(ni~l) ! 


for  s  >  0 


which  one  may  use  to  evaluate  the  probability  of  the  events  (3.4),  (3.5) 
and  (3.6).  We  defer  this  until  later. 


4.  The  Asymptotic  Maximum  Likelihood  Method 


In  case  interpretation  I  holds, one  can  verify  easily  from  the  density 
given  in  (3.2)  that  the  maximum  likelihood  estimate  of  A^  is  A^  ■  n^/t^. 
But  also  under  interpretation  II  the  likelihood  of  the  event  (3.5)  using 
the  density  in  (3.7)  is,  except  for  some  constant  not  depending  upon  A^ 

(4.0.1)  nilnAi  +  s  ~  “  A^t^-s) 

and  the  maximum  likelihood  estimate  of  A^  is  again  A^  as  given  above. 

Moreover  the  probability  of  the  event  (3.6)  is  e  and  the  value  of 

A,  which  maximize  this  is  A  *  0. 
i  l 


Thus  under  either  interpretation  of  the  data  we  obtain  the  maximum 
likelihood  estimate  of  A ^  is 


(4.1) 


and  we  note  that  A^  *  0  if  n^  =  0. 

Let  A  “  (A^,...,Am)  denote  the  vector  of  component  rates  and  A  the 


corresponding  vector  of  maximum  likelihood  estimates. 
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We  now  state  the  appropriate 

Theorem  2.  If  X  is  the  maximum  likelihood  estimate  of  the  tr'uc 
component  hazard  rate  vector  then  g(X)  is  asymptotically 

normal  with  mean  g(A)  and  variance 

"2  ^  J  A 

0  E  X)  l 3 i 8 ( x >  ]  var(X  ) 
j  =  l  J  J 

whenever  the  partial  derivatives  of  g  exist. 


The  proof  is  well  known  and  is  given  in  many  texts,  e.g.[12],  To 

m 

utilize  this  theorem  we  take  g(X)  »  X!  B .  A  and  first  make  Interpretation  I. 

1  1  1 

It  follows  from  A^  -  where  is  a  Poisson  random  variable  with 

mean  ( t ,  that 


1  i 

var(A  )  -  — —  var(N.)  -  — 

tf  Ci 


2 

o 


m 


Ssi2f  • 

1  i 


Now  we  make  the  notational  convention  to  be  used  subsequently  that 


(A. 2) 


i  —  1 , . . . ,m. 


Hence  we  can  estimate  the  standard  deviation  by 


Thus  by  theorem  2  and  the  consistency  of  3  we  know  that  [ g ( A )  -  g(A)]/<3 
is  asymptotically  a  normal  zero,  one  random  variable.  (Strictly  speaking 
the  Theorem  2  is  not  needed  with  this  interpretation  since  the  sum  of 
Poisson  random  variables  is  known  to  be  asymptotically  normal.) 
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Suppose  we  now  make  interpretation  II,  restricting  our  attention 
to  the  case  when  the  event  [S^  =  t^]  is  observed.  Since  has 

the  density  given  in  (3.7)  one  checks  that  for  b  *  1,2,  given  that 


ni  -  3 


ES"b  =  Ab/  n  (n  -J) 
J-l 


From  this  one  shows  that 


n  .  A  .  2 


var(^) 


i  i  f  1  ~ 
n^-1  n^-2 


If  we  substitute  A^  for  A^  in  the  expression  for  o  we  obtain  the 


estimate 


a2  -  IVTi(1  -“X1  -f> 

j  i  i  n.  n. 


which  can  be  compared  with  the  estimate  for  o  obtained  under  interpre¬ 
tation  I.  One  sees  they  are  nearly  the  same  only  if  n^,  which  is  re¬ 
quired  to  exceed  2,  is  large. 


We  then  have,  under  either  interpretation. 


(4.3) 


.n; 

a 


<  -  z 

z 


1  -  c. 


where  z  is  the  100&  percentile  of  the  standard  normal.  By  algebra 
we  find  (4.3)  is  equivalent  with 


p[e-S<X>  >  e'«E]  « 


w-rf***** 
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where  W 

c 


is  a  random  variable  given,  say  under  interpretation  I,  by 


(4.4) 


W 

£ 


Thus  for  any  c  (for  our  application  near  one,  say  .95),  e  1 
gives  asymptotically  a  lower  confidence  bound  of  level  e  on  the  true 
reliability.  Notice  that  if  no  failures  occur  for  the  i^  component  no 
account  is  taken  of  them  in  the  equation  (4.4)  and  indeed  under  inter¬ 
pretation  II  we  must  have  at  least  three  failures  to  take  account  of  a 
component . 

5.  The  Asymptotic  Likelihood  Ratio  Method 


Again  we  make  interpretation  I  and  examine  the  data.  The  total 
test  time  t ^  ,  we  consider  as  a  parameter,  and  the  number  of  malfunctions 
is  a  random  variable  N  .  As  is  well  known,  p.  10  ref.  [7],  the  number 
of  malfunctions  in  an  exposure  period  of  length  t^  has  a  distribution 
given  by  (3.2).  Using  the  notation  of  section  4,  the  likelihood  function, 


given  the  parameter  vector  X,  is 

m 


L*(X)  =  T^{-X.t.  +  n,ln(A  t  )  -  ln(n.!)}. 

JJ  J  jJ  J 


The  reliability  for  the  system  with  a  given  mission  length  and 
given  6-factors  is 


h ( A )  =  exp{- ^ \  .6  . ) . 

j-1  2  2 


We  now  state 
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Theorem  3.  If  the  hypothesis  h(A)  -  r  is  true  then  the  likelihood 
ratio,  -2£nL(r),  where 

(5.1)  L(r)  =  sup  L*(A)  -L*(X ) 

{ A  :h(A)  =  r) 


has  asymptotically  a  Chi-square  distribution  with  one  degree  of  freedom. 

A  proof  is  found  in  many  texts  for  example  Wilks,  p.  419  [15].  At 
this  juncture  we  notice,  were  we  to  make  interpretation  II,  that  the  like¬ 
lihood  function  given  in  (4.0.1)  of  the  event  defined  in  (3.5)  is  the  same 
as  L*(A),  except  for  some  constant  not  depending  upon  A^.  Hence  whe¬ 
ther  we  make  interpretation  I  or  II  the  function  L(r)  defined  in  (5.1) 
would  be  the  same. 

Since  L*(A)  is  the  supremum  of  L*(A)  over  all  admissible  values 
of  A  it  is  easily  found.  The  first  term  is  more  difficult  since  we 
seek  the  maximum  of  L*(A)  under  th  r;  constraint  h(A)  -  r  with  r  fixed. 

We  follow  a  procedure  for  binomial  data  first  proposed  by  Madansky  in  [9] 
for  series  systems  and  then  generalized  to  arbitrary  systems  in  [10].  The 
procedure  is  to  maximize  L*  under  the  constraint  by  using  a  LaGrange 
multiplier  6.  Setting 

r-— [L*(a)  -  6£,nh(A)  ]  «  -t.  +  -1  +  66,  -  0, 

°A,  J  A,  J 


and  solving  yields 


Aj(6) 


v6Bj 


j-i 


,  m. 


Call  A (6)  the  vector  solution.  Note  that  A  *  A (0) .  We  now  define 

A(x)  -  L*[A (x)  ]  -  L*(A) 


'V 


where  we  have  used  Che  definition  (4.2).  We  want  to  solve  for  the  value 
of  x  >  0  sue!,  mat  for  a  given  level  e 


(5.2) 


A(x)  =  -  |  x£2(l> 


2  t  h 

where  y^(l)  is  the  percentile  of  the  Chi-square  random  variable 

with  one  degree  of  freedom.  Call  the  solution  of  (5.2)  the  value  x  . 


Then 

(5.3) 


h(A(x  )  ]  *  exp{- £ 


1  Tj“Xe 


is  an  asymptotic  lower  bound  for  h(A)  of  level  rather  than  of  level 

e ,  since  we  obtain  only  a  one  sided  confidence  bound. 


We  now  exhibit  a  method  for  the  determination  of  x  .  For  a  given 

E 

1  2 

e,  set  B  ■  53n.  +  "r  X  (1)  ,  then  for  each  B  >0  there  exists  an  x  >  0 
e  “  i  2  e  e 

1  12 
such  that  f(x)  *  0,  where  f(x)  -  -A(x)  -  -  x  (1). 


We  can  write 


The  solution  of  f(x)  *  0  must  be  unique  since 


m  n . 


f'(x)  -  x£  - i-T  >  0 


i-1  (T.-x)‘ 


whenever  0<x<t/,.*  min(x  ,...,t  ) 

(1)  1  nj 


But  note  that 


n>  (  t  .  +x) 
f"(x)  -  £n  - * — 3 

i“l  (Ti-x)J 
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Thus  we  see  that  both  f ' ,  f"  are  continuous  and  do  not  vanish  for 
0  <  x  <  which  is  a  sufficient  condition  that  the  Newton  iteration 

procedure,  namely 

f(Xn 

n-1  ,  „ 

x  -  X  .  ™  r i  /  v  n*l }2 1 • » t 

n  n-1  f'(x  .) 

n-i 

will  converge  to  the  value  x^ . 

6.  Bayesian  Confidence  Intervals 

Let  us  now  outline  the  Bayesian  method  of  obtaining  confidence  limits. 
Suppose  that  tt(X)  is  a  given  prior  density  of  the  parameter  X,  here 
taken  as  one-dimensional  for  illustrative  purposes.  If  X  is  known  then 
a  sample  x  of  independent  iaentically  distributed  observations  from  a 
population  with  that  parametric  value  is  p(x|x).  Then,  following  Lindley 
[8],  pp.  1  and  2,  the  posterior  density  of  X  based  on  the  evidence  x  is 

f  (X  j  x)  *4p(x| X)tt(X)  . 

Now  if  I  (x)  is  any  interval  of  X  depending  on  x  and  e, 

e 

0  <  c  <  1,  such  that 

(6.1)  /le(x)f<‘lx)dX  ■  c’ 

then  I  (x)  (p.  15,  Lindley,  loc.  cit.,)  is  called  a  I00z%  Bayesian 

G 

confidence  interval  of  X  for  given  x. 

If  we  desire  a  Bayesian  confidence  interval  on  X  *  X^  +  X2  and  we 
have  posterior  densities  of  X^,  X^,  call  them  f^  and  f ^  then  from 
an  assumption  of  independence  of  these  posterior  densities  one  can  obtain, 


via  the  calculus  of  probabilities,  a  posterior  density  of  A^  +  >. 


as 


the  convolution  . 

f  *f2(X)  -  /  f  (A-t)f  (t)dt 
0 

and  use  fj*^  to  calculate  an  upper  confidence  bound  on  A  from  (6.1). 

This  is  essentially  the  method  that  has  been  recently  utilized  to  obtain 

confidence  bounds  on  the  reliability  of  series  systems  and  is  presently 

the  subject  of  much  interest.  (See  (14],  (16]  and  the  references  given  there.) 


If  the  data  x  «  (x. . ,x  )  where  x.  ■  (t.,n.)  is  given  we  may 

i  m  i  I  i 

make  either  interpretation  I  or  II.  We  decide  whether  one  regards  the 
time  until  the  n^*1  malfunction  as  an  observation  from  a  random  variable 
with  parameter  n^j*  0)  fixed  or  the  number  of  malfunctions  n1  as  an  ob¬ 
served  value  of  a  random  variable  when  the  time  of  testing  t^  is  given. 

In  each  interpretation  as  we  now  show  we  are  lead  to  the  following:  the 
probability  of  observing  the  event  x^  given  a  value  of  A^  is 


(6.2) 


p(3Ci.  I  X±) 


AiCi  n 
e  1(Xit1)  i 


Under  interpretation  I  we  regard  x^  as  the  event  (N^  *  n^ ]  where 
is  the  Poisson  random  variable  with  density  (2.2).  Hence  we  have  (6.2) 
directly. 

Under  interpretation  II,  n^  is  fixed  and  the  time  until  the  (n^+Dst 
malfunction  is  the  random  variable  +  T^(n,+1).  Now  x^  becomes 

the  event  (3.4),  and  we  want  to  evaluate 


P(x. 1 A  )  -  P[S  1  t  ,  S  5  t  ]. 
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i 

But  the  right  hand  side  is  the  difference  of  the  convolutions 

Gni  (t.)  -  ‘J  (t.),  where  G  is  the  exponential  distribution  of 

1  1  l 

the  time  between  failures  with  hazard  rate  X^.  This  difference,  p.  11  [7], 

! 

is  equal  to  (6. 2) .  j 

] 

From  Bayesian  Principles,  using  either  interpretation  I  or  II,  one  obtains 

the  same  joint  posterior  density  of  (X A  ) 

1  m 

m 

f(Xl»-  **  •AjV-'-.V  °<  n  p(xi|Xi)rr(X . Am) 

i*l 

where  n  is  the  joint  prior  density  of  (A.  ,...,X  ). 

1  m 

7.  The  Principle  of  Insufficient  Reason 

I  now  mention  an  approach  which  has  been  called  a  majo  breakthrough  in 
the  analysis  of  confidence  levels  for  system  reliability.  This  is  because 
it  leads  to  an  answer  which  is  theoretically  exact  and  does  not  depend  upon 
an  approximation  to  an  asymptotic  distribution. 

This  approach  is  the  Bayesian  method  with  the  special  prior  density 

(7.1)  tt(A)  e  1  for  all  >  0. 

This  assumption  is  justified  by  the  so  called  principle  of  insufficient 
reason ;  since  we  know  nothing  specific  about  it  we  have  insufficient  rea¬ 
son  to  take  7T ( X )  anything  but  uniform.  Strictly  speaking  it  as  defined 
in  (7.1)  is  a  non-probabilistic  prior.  But  of  course  one  could  consider  it 
an  approximation  to  a  prior  density.  There  have  been  several  attempts  made 
to  use  this  general  approach  for  confidence  intervals,  in  particular  see  [1). 
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However  from  (7.1)  we  have 
f(A|x) 


nj 


m 


(At.)  1  -X . t . 

n  1  1 

«  *  *  n. . 
i=*l  i 


for  >  0. 
i 


The  mathematical  problem  becomes  that  of  finding  the  distribution  of 
(7.2) 


m 


v-pih 


where  8^  are  known  constants  and  A^  are  fiducial  gamma  variates  with 


known  scale  and  shape  parameters.  To  wit,  each  is  f(t  ,n  +1)  where 

.1  J  J 


f(t,v)  denotes  the  law  with  density  ,  give  v  >  0 


(7.3) 


1  v  v-1  -tx  , 

t  x  e  for  x  >  0. 


T(v) 


We  also  quote  two  related  results:  Feller  II  loc.  cit. 


If  Aj  is  I(tj,Vj)  then  t^A^  is  f(l,v  ) 


If  Vj  >  1  then  Aj  =  Aj  +  Aj'  where  Aj  is  T(t^,l) 


independent  of  A^'  which  is  f(tj»v  -1). 


Thus  by  the  first  remark  we  see  that  in  distribution 

m 


where 


v*?Vj 


6 


i  1 

b  =  T*1  -  —  j-1,.  .  •  ,m 

J  j  j 


and  each  A^  is  now  rd.n^+l).  By  the  second  remark,  for  the  data. 


given  in  Table  I  from  the  Sl-C,  (where  we  have  at  most  two  failures)  we 
see  that  in  distribution 


*  We  shall  use  the  word  "fiducial"  to  apply  to  variates  which  are  the 
construct  of  prior  knowledge  and  hence  represent,  to  a  degree,  per¬ 
sonal  belief. 


(7. A) 


m  r  s 

v  -E^i  Vj  +?bA 


where  s  is  the  number  of  components  with  two  failures  during  testing 

r-s  is  the  number  of  components  with  one  failure  .during  testing 

ra-r-s  is  the  number  of  components  with  no  failures  during  testing 

and  Vj  ,  are  all  independent  T ( 1 , 1 )  i.e.  exponential  with  unit 

mean,  variates. 

We  now  quote  a  well  known  result  proved,  for  example,  in  [13]  as  a 

Lemma  1:  If  . Z^  are  independent  exponential  random  variables  with 

unit  mean  then  for  b^  >  0,  all  distinct,  we  have 


(7.5) 


k  -u/b 

1 


P[&iZi  >  «]  «  £BWe 

1  J-l  J 


where  B, 


1  and  for  k  >  2 


(7.5.1) 


kb, 

B  '  *  vT 

J  1  =  1  j  1 


for  j-l, ... ,k. 


Also  these  recursion  relations  hold 


Btk)  '  Bjk"1>bl/<bj"bk>  1  =  1 . k_1  ar“J  Bkk) 


1  -  £B  • 


Also  we  have 


ID  l 

Lemma  2:  The  distribution  of  ]Cb,z4  + 

1  1  1  i  1  J 


£  £B(n)B(r){l  "  e  J  -  M(i,],t))  for  t  >  0, 
i-1  J-l  J  J 


where  we  set  Cj  -  1/bj  for  j-l , . . . ,max(m,r) 


<Hi,j  ,t) 


L 

f  exp{-c. (t-y)  -  c 
0  1  J 


-c .  t 
1 


te 


-c.t  -c  t 
e  1  -e  j 
c  -c 

j  1 


y}dy 

if  i  =  j 
if  i  i  j 


The  proof  is  accomplished  by  the  convolution  of  two  distributions  each 
of  the  form  given  in  lemma  1.  Consider  the  more  general  definition 

k 


K  “j 

vk  ’  E  t,  Vn 

J-l  i-1  1 


where  the  are  all  independent  exponential  variates  with  unit  mean. 


Let  have  distribution  then 


“k 


V,  -  V,  .  +  T^b.X..  . 

k  k-1  "  i  lk 

i*l 


Defining  F  =  1  -  F  with  any  affixes,  and  taking  as  given  in  lemma  2, 

\ 


:(u)  '  |P[1?1  biXik  ”  u'v]dFk-l(v) 

i  (mkM  r  ~(u~v>c1 

=  Fk_i(u)  +  s  Bi  y  e 

i-l  '0 


dFk-l(v) 


But  the  quantity  in  braces  in  the  equation  above  becomes 


U 

{...}  =  F^^uJ-e  UCl-c.y  Fk-1(v)e  ^U"V^Cidv 


Hence  we  have  shown  the  following 
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Lemma  3:  The  survival  probability  of  as  defined  in  equation  (7.6) 

is  given  in  terms  of  the  survival  probability  of  ^  as 


Note  that  (7.7j  can  be  used  to  prove  lemma  2  and  used  recursively, 
by  computing  machine,  to  find  the  distribution  of  easily  for  small  k. 

8.  Malfunction  Modes 


A  subsystem  containing  several  components  can  fail  by  having  different 
components  fail  but  moreover  each  component  itself  may  fail  in  different 
ways.  For  example  a  gimbal  may  shatter  or  crack, or  a  hose  coupling  can 
either  rupture  or  leak.  These  separate  ways  of  failure  are  called  failure 
modes.  Of  course  we  talk  about  failure  modes  in  an  intuitive  sense  when 
in  fact  we  mean  the  ways  a  component  can  malfunction  and  we  do  not  mean  to 
imply  that  a  malfunction  need  necessarily  cause  a  system  failure.  We 
shall  without  deference  to  established  convention  use  the  nomenclature 
malfunction  modes. 


We  assume 

4°  The  time  until  malfunction  in  each  mode  has  constant  hazard  rate 
for  each  component  and  all  are  independent. 


Suppose  we  separate  the  possible  modes  of  malfunction  for  the  j*"*1 
component  into  k  classes  which  are  functionally  independent,  then  label 
the  time  until  malfunction  T, 


ij 


for  the  iC^  mode  of  the  component, 


The  time  until  malfunction  of  the  component  by  any  mode  is 


Tj  =  minCT^  ,.  .  .  .T^) 
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and  the  hazard  rate  of  T 


j  is  xj  '  £  ‘u  ul 


th  the  obvious  interpre¬ 


tation  of  A  as  the  hazard  rate  of  T .  Consequently  we  can  substi¬ 
tute  either  component  hazard  rates  or  hazard  rates  by  separate  failure 
modes  interchangeably  within  the  fundamental  series  system  equation  and 
use  the  same  mathematical  treatment.  The  introduction  of  this  classifi¬ 
cation  by  failure  mode  may  be  an  extension  of  the  model  for  classification 
by  components  or  it  might  be  a  refinement. 


Without  any  real  loss  of  clarity  to  the  fundamental  ideas  let  us  fix 
our  att  ntion  on  a  component  with  two  separate  modes  of  malfunction  with 
fixed  hazard  rates  A^  and  A^,  say. 

Suppose  this  component  was  operated  for  a  time  t  and  no  failure  of 
either  type  were  observed.  Hence  by  the  first  Bayesian  method  the  posterior 
fiducial  distribution  of  the  component  hazard  rate  A(*=A  +A„)  considering 
the  component  as  a  unit,  is 


(8.1) 


1  -  e 


for  a  >  0. 


Note  that  for  a  mission  of  length  t 


1 [ A  <  a ]  =  P [ e  t>eat] 


3 1 

so  that  e  is  a  lower  bcund  on  the  mission  reliability  and  the  confidence 


level  is  P [ A  <  a] 


But  on  the  other  hand  by  considering  the  posterior  fiducial  distribu¬ 
tion  of  A^  +  A^  using  data  =  x2  =  (t,0)  and  the  first  Bayesian  method 
(and  the  principle  of  insufficient  reason)  we  have 

-at  -at 

1  -  e  -  at  e 


(8.2) 


for  a  >  0 
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as  the  posterior  fiducial  distribution  of  the  hazard  rate  of  A  of  the 
component.  But  notice  that  (8.2)  is  much  less  than  (8.1)  which  was  the 
fiducial  distribution  from  the  same  data  for  the  same  component.  If  by 
changing  our  interpretation  of  what  constitutes  a  component,  we  arrive  at 
different  answers  when  using  the  same  data, then  something  must  be  wrong. 
In  reliability  theory  one  man's  component  is  another  man's  system  and  the 
fiducial  distribution  from  che  same  data  should  be  the  same  regardless  of 
the  labeling  of  the  components. 


To  continue  this  point  further,  let  us  suppose  that  we  have  a  series 
system  with  separate  malfunction  modes  with  hazard  rates  each 

of  which  has  acquired  the  same  operational  experience  namely  ■  (t,0) 
for  i*l,...,k  i.e.  no  failures  during  operation  for  a  length  of  time  t. 
Again  by  using  the  principle  of  insufficient  reason  and  the  non-probabilis- 
tic  prior  density  we  have  by  the  first  Bayesian  method  the  fiducial  distri¬ 
bution  of  A  =  A,+.  . ,+A  as 
1  k 


k 

E 


-at.  .1 

e  (at) J 


j! 


which  approaches  zero  as  k  approaches  infinity  regardless  of  the  value 
of  ta  >  0. 


This  effect  is  why  reliability  managers  say  "the  system  is  all  richt , 
it  is  the  statistics  that  is  killing  us,"  see  [3].  I  maintain  that  a  proper 
model  in  these  cases  should  yield  exactly  the  same  fiducial  confidence  under 
any  interpretation  as  to  what  set  of  components  constitutes  a  subsystem.  It 
is  to  this  point  that  we  continue  to  write. 
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9.  Alpha  Factors 

We  do  not  regard  the  A^  as  independent  fiducial  random  variables 
having  a  distribution  which  is  to  be  constructed  from  prior  knowledge 
but  essentially  as  constants  which  are  unknown.  If  the  A^  were  unknown 
positive  real  numbers  then  there  would  exist  a  constant  of  proportionality  be¬ 
tween  any  two  A  *s  which  would  be  fixed  even  though  it  was  unknown. 
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In  the  case  m  =  2,  IKA^.A^)  is  zero  everywhere  but  along  the  ray 


A_  =  —  A  out  from  the  origin  in  the  (A  ,A  )  plane. 

1  1  I  z 

Following  the  general  Bayes  procedure 

m  n 

f  (A  I  x)  n  ( t .  A  )  ie‘tii  dn(A. . A  ). 

i=l  1  1  1  m 

m 

We  wish  to  find  the  posterior  density  of  ^B.A  .  We  make  the  change  of 

1 

variables  ■  B^A^  and  by  (3.2)  and  *  t^/B,  we  have 


m 


where 


f (p I x)  «<£(t  p  )ni  e  TiPi  dn*(p  , . . .  ,p  ) 
^3.  11  i  m 


"*<»! . ■  n(r- . 

1  m 


Thus 


(9.2) 


dn*(Pr. 


.P_) 

m 


>0  if  some  p,  ■ 


0  otherwise. 


°i8i°i 
a  B 

j  j 


for  i  i  j 


The  density  we  seek  is  proportional  to 

m 

(9.3)  J  J  ni(TiPi)°i  e-TiPi  dn* (p x . Pm) 

{ d :  ^PiMoij 


Consider  the  line  in  m-space 


MPj) 


a-B-  a  B 

,  2  2  mm  . 

P1 ’a, B,  Pl* " ’ ’ ’a, B,  Pl} 


1~1 


1M1 


By  equation  (9.2)  all  the  mass  of  fl*  is  concentrated  along  the  ray  £(p^) 
for  p^  >  0.  In  effect  the  only  quantity  that  has  a  distribut4on  is 
and  we  shall  later  see  it  makes  no  difference  what  this  distribution  is 
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as  long  as  it  has  support  on  (0,®).  This  line  intersects  the  plane 
m 

5^.0 .  =  a  at  a  single  point,  namely  p  such  that 
1  1  1 

m  a .  8 

P,  +  — ~r"  P  =  a 

1  i-2  al6l  1 


and  solving  for  p^  we  find  p^  =  y^  where  we  define 


(9.3.1) 


i  m 


i  =  l , . .  .  , tn. 


j-i J  - 


Then  the  value  of  p^  at  the  point  of  intersection  of  the  line  1  with 
the  plane  Lp^  -  a  is  *  ay^  for  i«l,...,m.  Since  all  the  measure 
of  n*  is  concentrated  along  the  line  the  Integration  over  the  plane 
ir;  (9.3)  yields  a  single  value  at  the  singularity  of  the  measure  It 

follows  that  the  density  we  seek  is  proportional  to  the  value  of  the 
integrand  at  that  point,  namely 


in  u  ^  m 

n  (t  ay  )  exp{-  £  t .ay  } , 
i=l  i-1 


If  we  define 


(9.4) 


k  =  En  , 
1 


which  are  a  weighted  mean  of  the  t 


and 


t*  **V'» 


the  total  number  of  failures,  respectively,  we  can  write  the  posterior 

m 

fiducial  density  of  ^d,  as 


(9.5) 

The  distribution  then 

(9.6)  P{IPi  < 


etoalV30 


is 


k! 

0U 


for 


»!-/ 


0 


k  -s 
s  e 

k! 


ds 


a  >  0. 


k  -Ou.,,  .j 

_  £  e 
j-o  j! 


But  we  recognize  this  as  a  Chi-square  distribution  and  if  we  set 

u  -  i*^(2k+2). 

where  we  have  defined  this  notation  in  (5.2),  we  have 

P[e"Z°i  >  e"U]  -  e. 

And  this  provides  a  lower  confidence  bound  of  level  e. 

We  now  make  some  observations  about  this  result. 

1)  Notice  the  confidence  bound  is  the  same  regardless  of  how  the  ccmpo- 

nents  are  apportioned  tc  subsystems  within  the  system.  In  particular  if 

t  ■  ...  =  t  we  obtain  the  same  fiducial  density  of  EB.X,  as  we 
i  m  J  i  i 

would  by  considering  the  system  as  a  single  unit. 

2)  The  addition  of  components  to  the  system  none  of  which  have 

failed,  i.e.  data  of  the  type  (t^,0),  do  not  necessarily  cause 
the  confidence  to  go  rapidly  to  zero,  (of  course  the  confidence  does 
depend  upon  t^  through  0).  It  is  clear  from  (9.5)  that  it  is 
not  the  number  of  components  but  the  number  of  failures  which  force 
the  confidence  tc  zero. 


3)  A  knowledge  of  a-factors  is  required  to  utilize  this  posterior 
density.  However  this  does  not  mean  that  the  values  of  X  need 


be  known  but  merely 


that  engineering  experience  be  used  to  classify  all  the  failure  rates 
as  multiples  of  a  fixed  one,  say  the  lowest  one.  Usually  that  can  be 
done  at  least  in  a  conservative  manner.  But  we  assert  that  if  one 

Q 

believes  5  to  be  true  then  engineering  knowledge  wliould  be  expended 
to  obtain  information  about  the  ' s  rather  than  elsewhere. 

4)  It  is  apparent  from  (9.4)  that  increasing  the  length  of  testing 

for  a  component  for  which  is  high  will  yield  the  greatest  im¬ 

provement  in  confidence,  provided  no  failures  are  observed. 

5)  In  the  special  case  when  6°(t)  =  for  all  t  >  0  we  can 
make  an  intuitive  interpretation  of  y  as  the  conditional  probab¬ 
ility  of  failure  of  the  i  component  given  that  a  component  has 
failed.* 


* 

Label  the  events  ,  the  i*"  component  fails  and  ,  the  i^  compo¬ 
nent  malfunctions.  Now  by  definition 

-  PlFjMj  a.  -  PlMjZM  ] 

and  from  the  calculus  of  probabilities,  since  F^  C 

P(F.) 
ai3i  =  P(ZM  ] 

o 

and  hence  from  (9.3.1)  follows  “  P  l  F  f  1 2T  F  ] . 


10.  Numerical  Comparisons  and  Commentary 


In  this  section  we  perform  the  actual  computations  for  the  95% 
lower  confidence  limits  on  the  reliability  of  the  Saturn  1-C  using  some 
data  which  was  available  at  a  particular  time  during  its  preflight  pro¬ 
gram.  Since  this  will  be  an  illustrative  example  we  simplify  the  actual 
situation  by  taking  8°  =  1  so  that  8^  *  v^.  The  data  is  given  in  Table  I. 


Method  (1)  -  Asymptotic  Maximum  Likelihood 

Using  interpretation  II  we  can  take  account  only  of  data  for  which 
n^  >  2  of  which  there  is  none.  Using  interpretation  I,  we  can  take  ac¬ 
count  of  only  that  data  for  which  n^  >  0.  These  are 


(10.1) 


t  -  32.5 


7.5 


-  51.  8 

t  .  ■  17.  7 
4 

t5  -  8.0 

T,  -  7.5 


°1  "  2 
n2  *  2 

n3  ■  1 

°4  "  1 


n5  -  1 


n6  -  1 


Now  set  c 


,95,  *  1.645  and  by  equation  (4.4) 


UC  ’?V7+1-64 5\/£"ri'2 


.663  +  1.645/. 0746  -  .898 


-w. 


Hence  based  on  the  validity  of  the  assumptions  made,  e  e  -  .406  is  the 


approximate  95%  lower  confidence  bound  on  the  true  reliability  of  the  system. 
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Method  (2)  -  Asymptotic  Likelihood  Ratio 

We  can  now  make  either  interpretation  however,  as  in  Method 
1,  we  can  utilize  only  tne  data  with  n^  >  0  given  in  equation 
(10.1)  above.  Applying  the  Newton  procedure  as  mentioned  we  obtain  for 
this  data  the  solution  of  equation  (5.2),  for  e  =  .90,  as  x  =  3.84. 
From  equation  (5.3)  we  find 


£ 


1 


n , 

L 


t  ,-y 
1  c 


1.23 


-1  23 

Thus  based  on  the  validity  of  the  assumptions  for  this  case  we  find  e  '  =  .292 

is  an  approximate  95%  lower  confidence  limit  for  the  system  reliability. 


It  would  seem  that  one  could  have  no  confidence,  in  the  intuitive 
sense,  in  the  confidence  (in  the  precise  sense)  level  which  is  obtained 
by  either  of  these  two  methods.  This  is  because  no  account  is  taken  of 
the  larger  part  of  the  data  namely,  those  components  for  which  no  failure 
was  observed  during  testing.  Thus  whether  there  were  sixty  or  sixty  thou¬ 
sand  components  in  the  system  which  experienced  no  failures  during  the 
test  program  the  confidence  limits  would  be  the  same. 


Second,  the  conditions  are  just  not  known  which  are  necessary  to  enable 
one  to  assume  that  the  distribution  of  the  statistics  in  question,  for  the  finite 
sample  sizes  which  are  obtained,  can  be  adequately  approximated  by  their 
asymptotic  distribution. 

Method  (3)  -  Bayesian  Method  with  Uniform  Prior 


Using  the  computational  methods  set  forth  in  section  7,  a  machine  pro¬ 
gram  was  written  for  the  IBM-360,  using  double  precision  for  the  computation 
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00 

of  the  ,  which  tabulates  the  distribution  of  the  random  variable  V 

defined  in  (7.4).  This  distribution  is  graphed  in  figure  1  from  the 
machine  run  using  the  data  presented  in  Table  1. 

m 

The  fiducial  random  variable  V  =  ^6,X  has  distribution  F 

1  1  1 

which  we  calculate  in  the  region  of  interest.  Since 


P[exp{-IB^XO  2.  e  V]  *  F(v) 


we  find  that  if  v  =  12.8,  F(v)  *  .95  and  then  based  on  the  assumptions 

necessary  for  this  method  the  95%  lower  Bayesian  confidence  limit  for  the 

—  12  8 

system  reliability  is  e  .  This  result  needs  no  comment.  Every  per¬ 
son  responsible  for  the  reliability  program  had  at  least  95%  confidence, 
in  the  intuitive  sense,  that  the  true  reliability  exceeded  t’.is  number  be¬ 
fore  any  statistical  analysir.  was  initiated!  Making  confidence  statements, 
such  as  the  above,  to  managers  of  reliability  programs  tends  to  put  statistics 
in  a  bad  light.  (Recall  the  statements  just  preceding  section  7.) 


A  word  about  the  c«  mputational  difficulties  of  this  method.  It  is 

clear  from  Table  1  that  the  differences  of  the  are  small  compared  with 

(k) 

their  magnitude.  A  gJ  mce  at  the  formula  for  the  Bj  in  equation  (7.5.1) 

shows  that  in  absolute  value  they  can  become  very  large.  (In  fact  for  such 

data  as  we  havt  for  70  components,  valutas  high  as  102°  are  not  impossible), 
(k) 

Since  all  Bj  summed  over  j  must  add  to  unity,  some  must  be  positive 
and  some  negative.  Hence  at  v  =  0,  by  definition  we  should  have  F(v)  -  0. 
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However  because  of  the  nature  of  the  machine  decimal  arithmetic,  the  sum¬ 
mands  will  be  rounded  off  and  the  machine  value  will  not  be  unity.  For 

example  referring  to  figure  1,  had  we  continued  to  plot  the  values  compu- 

-3 

ted  at  v  =  3.2,  the  machine  computation  was  F ( 3 . 2 )  =  .699  x  10  but 
at  v  =  2.4,  F(2.4)  *  -.123  x  10  ^  with  wider  fluctuations  for  smaller 

values  of  v.  Fortunately  we  are  interested  in  those  values  of  the  argu¬ 
ment  for  which  F ( v)  is  near  one  and  the  values  of  v  necessarily  become 
large  enough  to  eliminate  the  errors  due  to  this  circumstance. 

Method  (4)  -  Alpha  Factor  Method 

The  computation  necessary  for  this  method  is  trivial:  we  need  com¬ 
pute  only  the  two  quantities  k  and  G  and  then  from  a  table  of  the 

2  Ll 

Chi-square  distribution  calculate  u  =  xf(2k+2)/20  and  e  becomes 
the  lower  confidence  limit  at  level  e. 

Example  1 : 

Let  us  suppose  that  v^  ■=  ~  for  i*l,...,m.  We  recall  that 
under  certain  conditions  this  would  mean  the  event  any  one  par¬ 
ticular  component  had  failed,  knowing  that  exactly  one  component 
was  in  a  failed  state,  was  equally  likely  with  the  event  any  other 
component  had  failed. 

From  Table  I  we  find  k  =  8  and  compute  from  (9.4),  0  =  Ir^/m  = 
and  hence  for  c  *  .95,  using  the  Chi-square  value  for  16  degreed  of 
freedom,  we  have  u  ■  (28.87)/51  =  .565.  Thus  e  U  =  .57  is  a  lower 
95%  confidence  limit  for  the  systems  reliability,  based  on  the  validity 


25.5 


of  the  assumptions. 


Example  2 : 

Let  us  suppose  a  «  —  for  i-l,...,m  and  from  Table  I, 
we  again  use  (9.4)  to  compute  0  =  (Et^^)  =  16.27.  For 

k  =  8,  e  =  .95  we  find  u  -  (28 . 87) / (32 . 54)  =  .887  and  e_U  -  .412 
is  the  lower  95%  confidence  limit  for  the  reliability  of  the  system. 

Example  3: 

Assume  the  failure  rate  A  is  proportional  to  the  complexity 
of  the  component.  Thus  a  is  proportional  to  the  (fictitious) 
weights  given  in  the  last  column  in  Table  I,  to  wit,  we  take  w^^  =  Ka  . 
We  then  use  (9.4)  to  compute  0  «  (Et^J/dS  o^)  -  32.11.  For 
k  =  8,  c  =  .95 ,  u  ■  (28 . 87) / (64 . 22)  ■  ,45  and  e  U  *  .64  is  the 
lower  95%  confidence  limit  for  the  reliability  of  the  system. 

One  notices  that  for  ease  of  computation  method  (4)  is  to  be  pre¬ 
ferred  since  it  does  not  require  more  than  a  desk  calculator.  Moreover 
the  answers  seem  to  be  uniformly  higher  than  those  obtained  by  the  other 
methods  considered.  Lastly,  the  three  examples  show  there  is  a  robust¬ 
ness  concerning  the  value  of  vi  that  are  obtained.  This  helps  to  allay 
the  fears  of  limitation  of  this  method,  namely,  the  necessity  of  exact 
determination  of  the  a^.  Nonetheless,  knowledge  of  the  are  what 

is  really  needed  to  determine  the  confidence  limit,  thus  it  would  seem 
that  engineering  and/or  statistical  effort  should  be  expended  in  an  at¬ 
tempt  to  determine  them  (or  approximate  bounds)  rather  than  being  ex¬ 
pended  in  the  determination  of  the  parameters  of  prior  distribution  of 
the  components  failure  rates. 


2 


-36- 


Concerning  the  alpha  factor  method  the  author's  sentiments  are 
best  described  by  a  remark  of  L.J.  Savage.  "If  Bayesian  techniques 
are  applied  to  situations  in  which  they  give  ridiculous  answers  I 
want  no  part  of  their,  however  if  they  can  be  utilized  to  give  wise 
answers  in  situations  which  cannot  be  treated  by  other  methods  then 
I  favor  their  use." 


TABLE  1 

Summary  of  test  data  for  Saturn  I-C 
test  time  in  mission  lengths,  n^  =  number  of  failures  observed 


v.  =  component  multiplicity, 
weights  of  relative  complexity 


"t .  =  t  Jv>. 
1  i  1 


318.5 

138.8 
69.4 

159.2 

187.9 

144.9 

69.7 

148.7 

146.8 

15.1 
7.5 

120.7 

113.1 

98.1 

92.8 
9.0 

97.9 

87.3 

26.4 

83.7 

14.1 

41.5 
7.5 

15.1 

11.3 

29.3 

82.9 
7.5 

20.8 

52.8 

51.8 

65.3 

66.2 

65.2 


19.9 

8.7 
4.3 

39.8 

23.5 

36.2 

17.4 

37.2 

36.7 

7.5 
.63 

30.2 

37.7 

98.1 

92.8 
9.0 

7.6 

21.8 

26.4 

20.9 

14.1 

41.5 

3.8 
5.0 

5.7 

5.9 

82.9 
7.5 

10.4 

52.8 

51.8 

65.3 

66.2 

32.6 


48.7 

33.9 

30.2 

45.7 

36.5 

50.6 

45.2 

22.6 

37.7 

49.9 

34.3 
37.7 

11.3 

15.1 
226.1 

30.3 
32.0 

179.0 

32.5 

75.4 
191.9 

34.6 

17.7 

73.6 

88.6 
8.0 
1.6 
2.4 

18.9 

11.1 

14.9 
13 

7.3 


48.  7 

33.9 

30.2 

45.7 

36.5 

28.3 

22.6 

11.3 

18.8 

49.9 

34.3 
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